7.13. Disabling SASL Mechanisms

The root DSE attribute supportedSASLMechanisms lists the SASL mechanisms that are currently supported by the Directory Server instance. However, editing that attribute does not change which mechanisms are supported. Directory Server uses the installed Cyrus SASL libraries to generate the list of supported SASL mechanisms. These libraries are located in /usr/lib[64]/sasl2/.
To change the list of SASL mechanisms supported by Directory Server:
  1. Create a private SASL directory for the Directory Server instance to use. For example:
    mkdir /etc/dirsrv/slapd-instance_name/sasl2
  2. Open that directory.
  3. Create symlinks from the Cyrus SASL directory plug-ins to the instance directory. For example:
    [root@server ~]# cd /etc/dirsrv/slapd-instance_name/sasl2 ; for file in /usr/lib64/sasl2/*.so* ; do
       ln -s "$file"
    done
  4. Remove the symlinks for the mechanisms that should not be supported in the Directory Server instance. For example:
     rm *cram*
  5. Edit the Directory Server start shell script so that it uses the Directory Server instance's SASL directory.
    vim /usr/lib[64]/dirsrv/slapd-example/start-slapd
    SASL_PATH=/etc/dirsrv/slapd-instance_name/sasl2 ; export SASL_PATH
  6. Restart the Directory Server.
    service dirsrv restart
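
The following is an added example, not part of the original procedure or of Directory Server itself: it scripts steps 1 to 4 and then checks the root DSE output to confirm that the removed mechanisms are no longer advertised. The function names, the host name in the usage comment, and the mechanism names passed as arguments are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example: build a private SASL plug-in directory and audit the result.

# build_sasl_dir SRC DEST PATTERN...
# Symlink every plug-in from SRC into DEST, then drop the links whose
# file name matches any PATTERN (for example: cram).
build_sasl_dir() {
    local src dest file pat
    src=$1; dest=$2
    shift 2
    mkdir -p "$dest" || return 1
    for file in "$src"/*.so*; do
        [ -e "$file" ] || continue      # glob matched nothing; skip the literal
        ln -sfn "$file" "$dest/${file##*/}"
    done
    for pat in "$@"; do
        # Remove only symlinks in DEST; the system plug-ins in SRC are untouched.
        find "$dest" -maxdepth 1 -type l -name "*${pat}*" -exec rm -f {} +
    done
}

# advertised_disallowed MECH...
# Reads root DSE search output (LDIF) on stdin and prints each disallowed
# mechanism still listed in supportedSASLMechanisms. Returns 1 if any is found.
advertised_disallowed() {
    local ldif mech found
    found=0
    ldif=$(cat)
    for mech in "$@"; do
        if printf '%s\n' "$ldif" | grep -qix "supportedSASLMechanisms: *${mech}"; then
            printf '%s\n' "$mech"
            found=1
        fi
    done
    return "$found"
}

# Use after restarting the instance (server.example.com is a placeholder):
#   build_sasl_dir /usr/lib64/sasl2 /etc/dirsrv/slapd-instance_name/sasl2 cram
#   ldapsearch -x -H ldap://server.example.com -b "" -s base supportedSASLMechanisms \
#       | advertised_disallowed CRAM-MD5
```

A non-zero exit from advertised_disallowed means the instance is still loading the plug-in, usually because SASL_PATH was not exported in the start script or the server was not restarted.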


Cyrus SASL can set a specific list of mechanisms to use for different applications within its own configuration, in a /usr/lib/sasl/appName.conf file.
For more information, see the Cyrus SASL administrator's documentation at http://cyrusimap.web.cmu.edu/docs/cyrus-sasl/1.5.28/sysadmin.php.